In the two articles of this series we learned about Microsoft's Diagnostic and Recovery Toolset (DaRT), how to install DaRT, how to create a bootable DaRT CD, and how you can use the DaRT tools on your DaRT CD to try to resolve issues preventing Windows-based computers from booting successfully. The previous article showed how to use System File Checker (SFC), which is one of the DaRT tools; this article examines some additional DaRT tools.

Examining Other DaRT Tools

Let's return to the MSDaRT Tools screen, which is displayed once you've booted your problem computer using your DaRT CD and answered all the prompts (see the previous article in this series for how to boot a computer using your DaRT CD):

Figure 1: MSDaRT Tools screen

Let's explore some of the different DaRT tools available. Clicking the Explorer option on the MSDaRT Tools screen opens Windows Explorer:

Figure 2: Windows Explorer

Note that hidden and system files are displayed by default in the Explorer window. By using the options available from the menu bar and from the context menu displayed when you right-click on items, you can perform common tasks like creating folders, copying files, and so on. You can also map network drives if you have network connectivity configured manually or through DHCP. If you chose not to remap drives when you booted from your DaRT CD, you'll also see the hidden System Reserved partition where the boot configuration database files for the computer are stored.

Using ERD Registry Editor, you can make modifications to the registry on the problem computer. Note that there is no HKEY_CURRENT_USERS registry hive displayed here since no user is logged on to the computer you are troubleshooting. Note that you can also fully browse and edit the SAM and SECURITY subtrees of the HKEY_LOCAL_MACHINE hive. These registry subtrees contain are hidden by default on normal Windows installations.

Using this dialog, you can search for files and folders on the target system. You can search by name, use wildcards in your searches, search by time/date, and search for files that fall within a specified size range. Once you've found the file or folder you're searching for, you can righ-click on it to display its properties (you can also do this from within the Explorer tool):

Figure 5: Viewing the properties of a folder

Clicking the Permissions button lets you view the NTFS permissions on the file or folder.

You can also right-click on a folder in your search results and open it in Explorer:

Figure 6: Opening the folder in Explorer

Double-clicking on a log file allows you to view the file using Notepad:

If the target system became unstable after the latest security hotfixes were downloaded and installed from Windows Update, you can use this wizard to uninstall them one by one until your system becomes stable again. Of course, if you can actually boot into Windows you can use System Restore instead which is simpler, but we're assuming here that the system won't boot.

Clicking Next causes DaRT to search for all installed hotfixes on the system:

Figure 9: List of installed hotfixes

If you scroll down to the most recent hotfix, select it and click Details, the Deployment Image Servicing and Management (DISM) utility will open the package and display detailed information concerning the hotfix:

Figure 10: Viewing information about a hotfix

To remove a hotfix from the system, select the checkbox for the hotfix and continue through the wizard.

Some troubleshooting scenarios (plus a couple of DaRT tools) need network connectivity in order to resolve properly. If you have a DHCP server on your network, DaRT can lease an IP address as described in the previous article of this series. If there is no DHCP server available however, you can click the TCP/IP Config option on the MSDaRT Tools screen to open the TCP/IP Configuration dialog, which lets you manually configure an IP address, subnet mask, default gateway and DNS server addresses to the target system:

Figure 11: Manually assigning an IP address to the target system

Sometimes a computer can become unbootable because of malware infection. If that happens, boot it using your DaRT CD and click the Standalone System Sweeper option on the MSDaRT Tools screen to launch the Standalone System Sweeper:

Figure 12: Step 1 of using the Standalone System Sweeper

When the Standalone System Sweeper opens, make sure you click the Check For Updates Now button shown here:

Figure 13: Step 2 of using the Standalone System Sweeper

Now click Download to get the latest malware definition updates from the Microsoft Malware Protection Center. Note that you'll need network (and Internet) connectivity to do this:

Figure 14: Step 3 of using the Standalone System Sweeper

The next screen shows the latest malware definitions being downloaded. This may take a while:

Figure 15: Step 4 of using the Standalone System Sweeper

Once the definitions have been downloaded, you can use the Scan button on the toolbar to scan the target system for malware. You have the option of performing either a quick scan, full scan, or custom scan:

Figure 16: Step 5 of using the Standalone System Sweeper

The next screen shows a scan underway. The yellow bang (!) icon indicates malware has been found:

Figure 17: Step 6 of using the Standalone System Sweeper

Once the scan is finished, you can either click Clean System to try to remove the malware infection or you can click Review Detected Items to see what Standalone System Sweeper has found on the system. We'll choose the latter option:

Figure 18: Step 7 of using the Standalone System Sweeper

Clicking the Review Detected Items option prompts you to send the malware infection info to Microsoft so it can be added to their database for analysis:

Figure 19: Step 8 of using the Standalone System Sweeper

After clicking Yes (or No) in the above dialog, the Standalone System Sweeper Warning dialog box opens and displays a list of detected malware items. Clicking the Action control lets you Remove, Quarantine or Allow the malware (the default is Remove):

Figure 20: Step 9 of using the Standalone System Sweeper

To remove the malware, click the Clean System. If removal is successfully, this will be indicated under the Status column:

Figure 21: Step 10 of using the Standalone System Sweeper

Another useful DaRT tool is Computer Management:

Figure 22: Computer Management

As you can see above, the version of Computer Management included in DaRT only lets you do the following:

View system information

View event logs

View (and optionally delete) autoruns

View (and optionally change the startup mode) of drivers and services

View and manage disks and volumes

Another useful DaRT tool is File Restore, which lets you try and files users have accidentally deleted if they've also emptied their Recycle Bin:

Another useful DaRT Tool is Locksmith, which lets you reset the password of user accounts on the target computer:

Figure 24: Locksmith

Locksmith even lets you reset the local Administrator account if its password has been forgotten:

Figure 25: Locksmith can reset the local Administrator account

Another useful DaRT tool is Disk Commander:

Figure 26: Disk Commander

You can use Disk Commander to restore the system's master boot record and partition information (malware infection can often corrupt these, making the system unbootable):

Figure 27: Disk Commander options

One thing Disk Commander won't fix is problems with your boot configuration database (BCD). But if your BCD is corrupted, you'll see the below dialog before you get to the MSDaRT Tools screen which lets you repair the BCD so the Windows installation can be located on the system:

Figure 28: Repairing corrupt BCD

Finally, if you're not sure which DaRT tool to use, you can always try the Solution Wizard:

Figure 29: Solution Wizard

This wizard walks you through a series of questions to help you use the DaRT tools:

Figure 30: Using the Solution Wizard

Conclusion

In this article and the previous one, we've examined all the various DaRT tools except for the Crash Analyzer, which you can use to help analyze the cause of stop messages (blue screen of death) when they appear. We'll cover that topic in the next and final article in this series.

If you would like to read the other parts in this article series please go to

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions.

Featured Links

How to Prevent Security Breaches

Join Brien Posey, Microsoft MVP, for a discussion of the increasing trend of data breaches and real-life lessons learned, including recent examples such as the Anthem breach. Brien will also discuss future trends based on recent data breach investigations and address a range of topics including:

How and why do data breaches happen and which firms are more exposed?

What is the cost that data breaches hold for organizations?

What can companies do to stay protected?

The webinar includes a live Q&A session with our expert presenters to answer your top questions.

Online Survey: The Definitive State of Load Balancing and High Availability

MSExchange.org, KEMP Technologies and numerous MSFT and VMware experts worldwide would like to invite you to participate in our confidential 6 question survey on Load Balancing and High Availability. This survey takes about 6 minutes and all participants who wish can leave their email address and register to win a $50 Amazon gift certificate.

The results of this survey will be used to create a white paper on the State of Load Balancing. Everyone who registers will also get a copy of the white paper.

PowerShell Essentials (Part 7)

In this article, I'll explain how you can pass values to a PowerShell function... Read More

Tips and Tricks Using the Windows Hosts File

Here I will discuss how to access, open, and modify the Windows hosts file. I’ll give some tips and advice on making redirects, whether you want to block or filter sites or create shortcuts to certain websites... Read More